feat(certificates-and-keys-native): add developer keys and certificates

The certificates and keys are stored in a repository and taken from there.
It is a native repository that puts the keys into the sysroot where other
recipes can take them.

All the key-related scripts were deleted or put in the development-keys
repository.

Basic simplifications were done; there is still room for improvement.
Patrick Vogelaar 2024-01-17 16:40:52 +01:00
parent b819d0746d
commit 5b23df1199
9 changed files with 73 additions and 279 deletions


@ -92,18 +92,3 @@ coreos-bblayers-envsub COREOS_EXTLAYERSDIR "${COREOS_ROOT}/external-layers"
# stdout is redirected to reduce the amount of output but not stderr # stdout is redirected to reduce the amount of output but not stderr
# #
#Note: if a final build is detected all the dev keys are deleted #Note: if a final build is detected all the dev keys are deleted
if [ "$CreateFinal" = "true" ]; then
echo "\nFinal build detected delete dev keys and dont use or generate them" >&2
rm -rf "${BUILDDIR}/keys"
else
echo "\nNo final build detected use development keys" >&2
coreos-get-dev-keys > /dev/null || {
echo "The coreos-get-dev-keys script has failed" >&2
}
coreos-keygen > /dev/null || {
echo "The coreos-keygen script has failed" >&2
return 1
}
fi


@ -3,7 +3,7 @@
# UEFI Secure boot configuration # UEFI Secure boot configuration
# ============================================================================== # ==============================================================================
COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys" COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0" COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
# UEFI Secure boot helpers # UEFI Secure boot helpers
@ -16,12 +16,12 @@ HOSTTOOLS += "sbsign"
# Ensure that the public keys are always deployed to the deploy directory # Ensure that the public keys are always deployed to the deploy directory
# before running wic # before running wic
do_image_wic[depends] += "efi-secureboot-keys:do_deploy" do_image_wic[depends] += "certificates-and-keys-native:do_deploy"
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0" COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
def get_coreos_secureboot_efi_boot_files(d): def get_coreos_secureboot_efi_boot_files(d):
""" """
Return the list of pubkey file inside deploy if Return the list of pubkey file inside deploy if
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string
otherwise otherwise
""" """
@ -31,26 +31,4 @@ def get_coreos_secureboot_efi_boot_files(d):
IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}" IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"
def get_coreos_secureboot_keydir_hash(d):
"""
Generate a space separate list, with a value for each file inside of
keydir. Fromat: <filename>:md5:<md5sum>
"""
import hashlib
keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
value = ""
for keyname in os.listdir(keydir):
filepath = os.path.join(keydir, keyname)
if os.path.isfile(filepath):
md5 = bb.utils.md5_file(filepath)
value += f"{keyname}:md5:{md5} "
return value
# The build system should detect if someone change one of the key inside
# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
# depends on this directory
COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"
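Review bot: Dropping `get_coreos_secureboot_keydir_hash` and its `vardeps` entry in the last hunk leaves an overridden `COREOS_EFI_SECUREBOOT_KEYDIR` untracked. The variable is still a `??=` default, so a build that points it at a directory outside the native sysroot (presumably how non-development keys would be supplied) no longer re-signs artifacts when a key file changes. If overrides are meant to stay supported, keep the hash but return an empty string when the directory does not exist yet, and prefer `bb.utils.sha256_file` over `md5_file`. Otherwise make the assignment non-overridable and say so in a comment. Separately, the new default in the first hunk would be more robust as `COREOS_EFI_SECUREBOOT_KEYDIR ??= "${STAGING_DATADIR_NATIVE}/keys"`, since `${datadir}` already starts with a slash and expands to a different path inside native recipes.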


@ -5,7 +5,7 @@ SRC_URI += " \
file://uefi-secureboot.cfg \ file://uefi-secureboot.cfg \
" "
DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native" DEPENDS:append = " ${PYTHON_PN}-pyopenssl-native u-boot-tools-native certificates-and-keys-native"
# Generate a ubootefi.var file inside the build directory # Generate a ubootefi.var file inside the build directory
# #


@ -1,33 +0,0 @@
SUMMARY = "A recipe to deploy UEFI public keys update files"
LICENSE = "CLOSED"
INHIBIT_DEFAULT_DEPS = "1"
inherit nopackages
inherit deploy
inherit coreos-efi-secureboot
# Public key needed by firmware very depending on the implementation
# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
addtask deploy after do_compile
do_deploy() {
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.auth ${DEPLOYDIR}/KEK.auth
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.auth ${DEPLOYDIR}/db.auth
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.auth ${DEPLOYDIR}/PK.auth
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.esl ${DEPLOYDIR}/KEK.esl
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.esl ${DEPLOYDIR}/db.esl
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.esl ${DEPLOYDIR}/PK.esl
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.crt ${DEPLOYDIR}/KEK.crt
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.crt ${DEPLOYDIR}/db.crt
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.crt ${DEPLOYDIR}/PK.crt
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/KEK.der ${DEPLOYDIR}/KEK.der
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/db.der ${DEPLOYDIR}/db.der
install -D -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/PK.der ${DEPLOYDIR}/PK.der
# !SECURITY WARNING!
# .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
}


@ -9,6 +9,8 @@ SRC_URI += "file://0001-coreos-add-a-coreos-specific-rootfs-switch-to-the-UK.pat
# Add signature support # Add signature support
# ============================================================================== # ==============================================================================
DEPENDS:append = " certificates-and-keys-native"
inherit coreos-efi-sbsign inherit coreos-efi-sbsign
require conf/image-uefi.conf require conf/image-uefi.conf


@ -0,0 +1,65 @@
SUMMARY = "Installs certificates and keys"
DESCRIPTION = "Installs certificates and keys that are used during the build"
AUTHOR = "Patrick Vogelaar"
LICENSE = "CLOSED"
SRC_URI = "git://git@bitbucket.gad.local:7999/ico/development-keys.git;protocol=ssh;branch=master"
SRCREV = "2b5d6941ea8759db90f07e195bb1855f618cccb7"
S = "${WORKDIR}/git"
inherit deploy native
CERTIFICATES_AND_KEYS_DIR ?= "${datadir}/keys/"
#FILES:${PN} += "${CERTIFICATES_AND_KEYS_DIR}/*"
do_install() {
install -d "${D}/${CERTIFICATES_AND_KEYS_DIR}"
install -m 755 ${S}/db.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.auth
install -m 755 ${S}/db.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.crt
install -m 755 ${S}/db.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.der
install -m 755 ${S}/db.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.esl
install -m 755 ${S}/db.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/db.key
install -m 755 ${S}/KEK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.auth
install -m 755 ${S}/KEK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.crt
install -m 755 ${S}/KEK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.der
install -m 755 ${S}/KEK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.esl
install -m 755 ${S}/KEK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/KEK.key
install -m 755 ${S}/PK.auth ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.auth
install -m 755 ${S}/PK.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.crt
install -m 755 ${S}/PK.der ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.der
install -m 755 ${S}/PK.esl ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.esl
install -m 755 ${S}/PK.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/PK.key
install -m 755 ${S}/swupdate.crt ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt
install -m 755 ${S}/swupdate.key ${D}/${CERTIFICATES_AND_KEYS_DIR}/swupdate.key
bbwarn "Development certificates and keys are added into the image (UNSECURE)! This image must not be released!"
}
# Public key needed by firmware very depending on the implementation
# So we copy all type of public key (*.auth, *.esl, *.crt, *der)
addtask deploy after do_compile
do_deploy() {
install -D -m 644 ${S}/KEK.auth ${DEPLOYDIR}/KEK.auth
install -D -m 644 ${S}/db.auth ${DEPLOYDIR}/db.auth
install -D -m 644 ${S}/PK.auth ${DEPLOYDIR}/PK.auth
install -D -m 644 ${S}/KEK.esl ${DEPLOYDIR}/KEK.esl
install -D -m 644 ${S}/db.esl ${DEPLOYDIR}/db.esl
install -D -m 644 ${S}/PK.esl ${DEPLOYDIR}/PK.esl
install -D -m 644 ${S}/KEK.crt ${DEPLOYDIR}/KEK.crt
install -D -m 644 ${S}/db.crt ${DEPLOYDIR}/db.crt
install -D -m 644 ${S}/PK.crt ${DEPLOYDIR}/PK.crt
install -D -m 644 ${S}/KEK.der ${DEPLOYDIR}/KEK.der
install -D -m 644 ${S}/db.der ${DEPLOYDIR}/db.der
install -D -m 644 ${S}/PK.der ${DEPLOYDIR}/PK.der
# !SECURITY WARNING!
# .key file are not copied to DEPLOYDIR, as they contains the PRIVATE keys
}
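Review bot: `do_install` stages the private keys (`db.key`, `KEK.key`, `PK.key`, `swupdate.key`) with mode 755, the same as the public files, so they end up world-readable and executable in the native sysroot of every dependent recipe and, presumably, in any shared-state archive produced from it. Public material should be installed 0644 and private keys 0600, and nothing here needs the execute bit. The `CreateFinal` branch removed from the environment script was the only visible guard that kept development keys out of a final build (its 'if a final build is detected' comment is left behind and is now stale), and `bbwarn` does not stop a build, so the recipe should fail unless development keys are explicitly allowed. The warning text is also misleading: the keys are staged for signing rather than 'added into the image', and 'UNSECURE' should read 'INSECURE'. The fence below sketches the rewritten `do_install`; the opt-in variable name is a placeholder.

```bitbake
# Placeholder name: explicit opt-in so a release configuration cannot pick up development keys by accident.
COREOS_ALLOW_DEVELOPMENT_KEYS ?= "0"

do_install() {
    if [ "${COREOS_ALLOW_DEVELOPMENT_KEYS}" != "1" ]; then
        bbfatal "Development keys are not allowed in this build (COREOS_ALLOW_DEVELOPMENT_KEYS is not 1)"
    fi

    install -d "${D}${CERTIFICATES_AND_KEYS_DIR}"
    for key in db KEK PK; do
        # Public material: readable, never executable
        for ext in auth crt der esl; do
            install -m 0644 "${S}/$key.$ext" "${D}${CERTIFICATES_AND_KEYS_DIR}/$key.$ext"
        done
        # Private key: owner-only
        install -m 0600 "${S}/$key.key" "${D}${CERTIFICATES_AND_KEYS_DIR}/$key.key"
    done
    install -m 0644 "${S}/swupdate.crt" "${D}${CERTIFICATES_AND_KEYS_DIR}/swupdate.crt"
    install -m 0600 "${S}/swupdate.key" "${D}${CERTIFICATES_AND_KEYS_DIR}/swupdate.key"

    bbwarn "Development certificates and keys are staged for signing (INSECURE)! Artifacts signed with them must not be released!"
}
# … unchanged: addtask deploy and do_deploy …
```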


@ -5,6 +5,8 @@ REQUIRED_DISTRO_FEATURES = "swupdate"
# same file in meta-swupdate # same file in meta-swupdate
FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:" FILESEXTRAPATHS:prepend := "${THISDIR}/swupdate:"
DEPENDS += "certificates-and-keys-native"
SRC_URI += "\ SRC_URI += "\
file://50-webserver-config.sh \ file://50-webserver-config.sh \
file://25-sw-collections-config.sh \ file://25-sw-collections-config.sh \


@ -1,88 +0,0 @@
#!/usr/bin/env bash
# This script will get development keys needed by the UEFI secure boot
# implementation from the k-stufen web share and put the under $BUILDDIR/keys
#
# The reason for every developer to have the same keys is that image/update
# filest are interchangable.
# Those developer keys are used for all builds except the ones that are marked
# as final. Here the official keys will be used.
#
# Following keys will be downloaded
# db.auth db.der db.key KEK.crt KEK.esl PK.auth PK.der PK.key
# db.crt db.esl KEK.auth KEK.der KEK.key PK.crt PK.esl
# This script is used every time the build environment of CoreOS is sourced
# Note: in the build environment stdout is redirected to /dev/null but not
# stderr.
set -e
# Logging helper
RED='\033[0;31m'
GREEN='\033[0;32m'
BOLD='\033[1m'
RESET='\033[0m'
# Ensure that BUILDDIR is defined
# ==============================================================================
# This is usually done inside the coreos-init-build-env script
if [ -z "$BUILDDIR" ]; then
echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1
echo -e "Have you run the coreos-init-buildenv script?" 2>&1
exit 1
fi
# We need the KEYDIR directory to exist
# ==============================================================================
KEYDIR="${BUILDDIR}/keys"
mkdir -p "${KEYDIR}"
cd "${KEYDIR}"
# we need wget and tar
# ==============================================================================
assert_command_in_path() {
if command -v "$1" >/dev/null 2>&1; then
echo -e "✓ Command ${GREEN}${1}${RESET} was found"
else
echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2
echo -e "Please check the coreos-documentation for the list of required packages" >&2
exit 1
fi
}
assert_command_in_path wget
assert_command_in_path tar
# Generate all they keys, as needed
# ==============================================================================
# Only generate the file if it's missing and don't fail if the file already
# exist
check_files_exist() {
RET=0
for file in "$@"; do
if [ ! -e "$file" ]; then
echo -e "𐄂 File ${RED}${file}${RESET} missing"
RET=1
else
echo -e "✓ File ${GREEN}${file}${RESET} already exist"
fi
done
return $RET
}
check_files_exist db.auth db.crt db.der db.esl db.key KEK.auth KEK.crt KEK.der \
KEK.esl KEK.key PK.auth PK.crt PK.der PK.esl PK.key || \
{
echo -e "${RED}Incosistent or no keys.${RESET}"
echo "Downloading Keys"
wget -q https://platform-nas.gad.local/K-Stufen/CoreOS/.signing/coreos_developer_signing.keys.tar.gz && \
tar -xzf coreos_developer_signing.keys.tar.gz -C ${BUILDDIR}/keys && \
rm coreos_developer_signing.keys.tar.gz
}


@ -1,117 +0,0 @@
#!/usr/bin/env bash
# This script will generate key needed by the UEFI secure boot implementation
# under $BUILDDIR/keys
# db.auth db.der db.key KEK.crt KEK.esl PK.auth PK.der PK.key
# db.crt db.esl KEK.auth KEK.der KEK.key PK.crt PK.esl
# This script is used every time the build environment of CoreOS is sourced
# Note: in the build environment stdout is redirected to /dev/null but not
# stderr.
set -e
# Logging helper
RED='\033[0;31m'
GREEN='\033[0;32m'
BOLD='\033[1m'
RESET='\033[0m'
# Ensure that BUILDDIR is defined
# ==============================================================================
# This is usually done inside the coreos-init-build-env script
if [ -z "$BUILDDIR" ]; then
echo -e "${RED}BUILDDIR is not defined${RESET}" 2>&1
echo -e "Have you run the coreos-init-buildenv script?" 2>&1
exit 1
fi
# We need the KEYDIR directory to exist
# ==============================================================================
KEYDIR="${BUILDDIR}/keys"
mkdir -p "${KEYDIR}"
cd "${KEYDIR}"
# we need openssl, cert-to-efi-sig-list and sign-efi-sig-list
# ==============================================================================
assert_command_in_path() {
if command -v "$1" >/dev/null 2>&1; then
echo -e "✓ Command ${GREEN}${1}${RESET} was found"
else
echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2
echo -e "Please check the coreos-documentation for the list of required packages" >&2
exit 1
fi
}
assert_command_in_path openssl
assert_command_in_path cert-to-efi-sig-list
assert_command_in_path sign-efi-sig-list
# Generate all they keys, as needed
# ==============================================================================
# Only generate the file if it's missing and don't fail if the file already
# exist
check_files_exist() {
RET=0
for file in "$@"; do
if [ ! -e "$file" ]; then
echo -e "𐄂 File ${RED}${file}${RESET} missing"
RET=1
else
echo -e "✓ File ${GREEN}${file}${RESET} already exist"
fi
done
return $RET
}
echo "Generating private/public keys in .key/.crt format for PK, KEK et db"
check_files_exist PK.key PK.crt || \
openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \
-keyout PK.key -out PK.crt -nodes -days 365
check_files_exist KEK.key KEK.crt || \
openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ \
-keyout KEK.key -out KEK.crt -nodes -days 365
check_files_exist db.key db.crt || \
openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ \
-keyout db.key -out db.crt -nodes -days 365
echo "Generatic EFI signature list file with PK, KEK et db public key"
check_files_exist PK.esl || \
cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
PK.crt PK.esl;
check_files_exist KEK.esl || \
cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
KEK.crt KEK.esl
check_files_exist db.esl || \
cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
db.crt db.esl
echo "Generatic EFI AUTH file with PK, KEK et db public key"
check_files_exist PK.auth || sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
check_files_exist KEK.auth || sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
check_files_exist db.auth || sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
echo "Generatic DER files with PK, KEK et db public key"
# der certificate are need for OVMF based firmware (virtual machine)
check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der
check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der
check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der
# keys needed to sign and verify SWUpdate
check_files_exist swupdate.key swupdate.crt || openssl req -x509 -newkey rsa:4096 -nodes -keyout swupdate.key \
-out swupdate.crt -subj "/O=SWUpdate /CN=target"